MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ab13a8d2d4fa6f6131978f7c0afe966d1e5374b1a23982c2d4a8b695cfe01b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Arechclient2


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash: 8ab13a8d2d4fa6f6131978f7c0afe966d1e5374b1a23982c2d4a8b695cfe01b4
SHA3-384 hash: 274152e4d5f3f248620d6b380c8c019a2076a13ff9c49788b3c1fd06ce28a6d286392bc24fd1f3e38302b5c1e3168975
SHA1 hash: ea04b46fa51744ec839de5b251be504c0b54e4cc
MD5 hash: c779a6eaa654cd63e6311ba896d47511
humanhash: sad-ink-sierra-montana
File name:adv.msi
Download: download sample
Signature Arechclient2
File size:21'299'200 bytes
First seen:2026-06-01 17:55:12 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:kajXtD7hWR0s+XF3xFgbJAfhKa6T079spKPKAvCDYmi2UBqWNgAiQF+CWRPsEEYl:LpYRB+V3xFYJA5Ka6QxDCAo5kgGgpP5d
TLSH T10C273317EDE6B639C86B0B399C20DA349F3DBCA87E90D82963153949A071FC193F4365
TrID 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
39.2% (.MSP) Windows Installer Patch (44509/10/5)
7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:Arechclient2 msi

Intelligence


File Origin
# of uploads :
1
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Verdict:
Malicious
Score:
70%
Tags:
shellcode virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm CAB expand expired-cert explorer installer installer lolbin obfuscated reconnaissance
Verdict:
Malicious
File Type:
msi
First seen:
2026-06-02T01:47:00Z UTC
Last seen:
2026-06-02T09:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Dllhijack.euj HEUR:Trojan-Dropper.OLE2.Agent.gen
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
11 / 100
Behaviour
Behavior Graph:
n/a
Gathering data
Gathering data
Threat name:
Win32.Trojan.Qwexlafiba
Status:
Malicious
First seen:
2026-06-01 14:45:43 UTC
File Type:
Binary (Archive)
Extracted files:
929
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
sectoprat
Similar samples:
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Malware family:
ArechClient2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Author:malware-lu
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments